[gatein-issues] [JBoss JIRA] Created: (GTNPORTAL-2082) j_security_check request is sent as GET method.
Takayuki Konishi (JIRA)
jira-events at lists.jboss.org
Wed Sep 7 08:07:26 EDT 2011
j_security_check request is sent as GET method.
-----------------------------------------------
Key: GTNPORTAL-2082
URL: https://issues.jboss.org/browse/GTNPORTAL-2082
Project: GateIn Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: 3.2.0-M01
Reporter: Takayuki Konishi
The j_security_check request is sent like:
http://localhost:8080/portal/private/j_security_check?j_username=root&j_password=wci-ticket-1044265597&initialURI=/portal/private/classic
The "root" value is a user-typed value, and it is recorded in the browser history and in server-side logs such as Apache's access_log, which are not expected to record such sensitive information.
It causes security problems such as shoulder hacking on the client side, and it puts an unnecessary burden on server administrators because they have to manage sensitive information in logs.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
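The report above points at two consequences of a GET-based j_security_check: the credentials land in the query string, and therefore in any access log that records the request line. The following is an added example, not code from the GateIn project or from the reporter: it parses Apache combined-format access_log lines (the sample lines are constructed for the example), flags any request whose query string carries j_username or j_password, and produces a redacted copy of such a line so an administrator can retain the log without the sensitive values. A form that POSTs to j_security_check instead sends the same parameters in the request body, which the default Apache log formats do not record, so the POST line in the sample is not flagged.

```python
"""Detect credentials leaked into access logs by a GET-based j_security_check.

Added example, not part of GateIn or the JIRA report. The log lines below are
constructed for the example; the first one mirrors the URL in the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameters that never belong in a URL (and hence in a request-line log).
SENSITIVE_PARAMS = ("j_username", "j_password")

# Constructed sample: line 1 is the GET from the report, line 2 is the same
# login sent as POST (body not logged), lines 3-4 are harmless GETs.
SAMPLE_LOG = [
    '127.0.0.1 - - [07/Sep/2011:08:07:26 -0400] "GET /portal/private/j_security_check'
    '?j_username=root&j_password=wci-ticket-1044265597&initialURI=/portal/private/classic HTTP/1.1"'
    ' 302 0 "http://localhost:8080/portal/private/classic" "Mozilla/5.0"',
    '127.0.0.1 - - [07/Sep/2011:08:08:01 -0400] "POST /portal/private/j_security_check HTTP/1.1"'
    ' 302 0 "http://localhost:8080/portal/private/classic" "Mozilla/5.0"',
    '127.0.0.1 - - [07/Sep/2011:08:08:02 -0400] "GET /portal/private/classic HTTP/1.1"'
    ' 200 5120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [07/Sep/2011:08:09:00 -0400] "GET /portal/private/j_security_check'
    '?initialURI=/portal/private/classic HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_log_line(line):
    """Split one combined-format line into fields; query becomes a dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def leaked_credentials(line):
    """Return {param: value} for sensitive params found in the query string."""
    rec = parse_log_line(line)
    if rec is None:
        return {}
    return {k: v[0] for k, v in rec["query"].items() if k in SENSITIVE_PARAMS}


def redact_line(line):
    """Blank sensitive query values so the line can be kept in the log."""
    return re.sub(r"(j_username|j_password)=[^&\s\"]*", r"\1=[REDACTED]", line)


def scan(lines):
    """Report every line (1-based) whose request line exposes credentials."""
    findings = []
    for n, line in enumerate(lines, 1):
        leaked = leaked_credentials(line)
        if leaked:
            rec = parse_log_line(line)
            findings.append({
                "line": n,
                "method": rec["method"],
                "path": rec["path"],
                "params": sorted(leaked),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %d: %s %s leaks %s" % (f["line"], f["method"], f["path"], ", ".join(f["params"])))
    print(redact_line(SAMPLE_LOG[0]))
```

Running the script against a real access_log (replace SAMPLE_LOG with the file's lines) tells an administrator whether the portal has already written usernames into the logs; redaction only limits the damage, the fix is to change the login form so the browser submits j_security_check with POST and the parameters travel in the request body.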